Abstract

Scalar multiplication is an essential operation in elliptic curve cryptosystems because 
its implementation determines the speed and the memory storage requirements. This 
paper discusses some improvements on two popular signed window algorithms for 
implementing scalar multiplications of an elliptic curve point - Morain-Olivos's algorithm
and Koyama-Tsuruoka’s algorithm. 
Public key cryptography based on elliptic curves defined over Galois fields (i.e. finite
fields) was proposed independently by V. Miller and N. Koblitz in 1985. Since then, 
elliptic curves over finite fields have been used in many applications of cryptography, 
such as digital signatures (e.g. Standard ANSI X9.62-1999 [1]) and key agreement and 
transport (e.g., working draft ANSI X9.63-200.* [2]). 

Scalar multiplication is an essential operation in an elliptic curve cryptosystem 
because its implementation determines the speed and the storage requirements of elliptic 
curve cryptosystems. Several algorithms on this operation have been described in 
cryptography literature. The paper discusses some improvements that were developed for 
two popular signed window algorithms for implementing scalar multiplications of an 
elliptic curve point - Morain-Olivos's and Koyama-Tsuruoka's algorithms.

The first three sections provide a review of some basic information on the scalar 
multiplication operation in an elliptic curve cryptosystem and the signed window 
algorithms. Section 4 reviews Morain-Olivos's algorithm and shows a generalization of
the algorithm for more general patterns of the scalar term involved in the scalar
multiplication. Section 5 provides a review of Koyama-Tsuruoka's algorithm and shows
how to improve its applications for a more general binary expansion of the scalar term in 
a scalar multiplication operation. 

1. Scalar multiplication in elliptic curve cryptosystems. 

Given a point P = (x,y) on an elliptic curve E and an integer k, the scalar 
multiplication kP is defined by the recursive addition: 

$$kP = \underbrace{P + P + \cdots + P}_{k \text{ terms}} \text{ if } k > 0, \quad \text{and} \quad kP = (-k)(-P) \text{ if } k < 0.$$

When k = 0, then 0P = O, the point at infinity. Since the inverse point -P is obtainable
at almost no cost, as is shown in the following table, from now on, k may be assumed to
be positive.


| Curve | Additive inverse |
|---|---|
| $y^2 = x^3 + ax + b$ (over $F_p$ where prime $p \ne 2, 3$) | $-P = (x, -y)$ |
| $y^2 + xy = x^3 + ax^2 + b$ (non-supersingular elliptic curve over $F_{2^m}$) | $-P = (x, y + x)$ |
| $y^2 + cy = x^3 + ax + b$ (supersingular elliptic curve over $F_{2^m}$) | $-P = (x, y + c)$ |

Table 1. Additive inverse of an elliptic curve point P = (x, y)


Scalar multiplication is the analog to raising an element to the k-th power of a
number, modulo n. The research problem is to compute the elliptic curve point kP with
the minimum number of addition operations. The information in Table 1 will be used 
when dealing with subtraction. The subtraction by a point P is simply addition with its 
additive inverse point - P . 

2. Some basic algorithms for implementing scalar multiplications 

This section gives a brief review of some basic algorithms available in cryptography 
literature and implementations. More detailed information can be found in the referenced 
papers. 

2.1. The most basic method is the double-and-add method that uses the binary
expansion of the integer k. Let $k = (k_{r-1}, \ldots, k_0)$ in base 2, where
$r = \lfloor \log_2 k \rfloor + 1$. Let $P_{r-1} = P$. Compute $P_i = 2P_{i+1} + k_i P$ for all i,
$r-2 \ge i \ge 0$. This produces $kP = P_0 = 2P_1 + k_0 P$. This method requires (r - 1)
doublings and, probabilistically, about (r - 1)/2 additions. Observe that the number of
arithmetic operations can be reduced when the number of bits 0 is increased. This is the
basic idea for methods that try to improve on the implementation of scalar multiplications.

2.2. An improved method for implementing scalar multiplication is the addition- 
subtraction method. For elliptic curve implementations, the methods that include 
subtractions are more attractive than the corresponding methods that include divisions in 
calculating powers of an element in finite fields. The reason is that division or inversion 
in finite fields is a more costly operation than multiplication, while subtraction is just as 
costly as addition in elliptic curve operations. 

An addition-subtraction method is recommended in the Standard ANSI X9.62-1999
[1] and the working draft for ANSI X9.63 [2] that uses the binary expansion of k and 3k.
Let $l = 3k = (l_{r-1}, \ldots, l_0)$ and $k = (k_{r-1}, \ldots, k_0)$ such that the leftmost bit
$l_{r-1}$ must be 1. Let $P_{r-1} = P$. Compute $P_{i-1} = 2P_i + (l_{i-1} - k_{i-1})P$ for all i,
$r-1 \ge i \ge 2$, resulting in $kP = P_1 = 2P_2 + (l_1 - k_1)P$. This method requires (r - 2)
doublings and, probabilistically, about (r - 2)/2 additions/subtractions.

2.3. Another improved version is called the m-ary (or $2^d$-ary) method. In this method,
the m-ary expansion is used instead of the binary form, where $m = 2^d$, and d > 1. The
binary expansion of the scalar $k = (k_{s-1}, \ldots, k_0)$ is padded with an extra number of
bits 0 to the left side of the bit string, if necessary, to make s = dr for some integer r.
This produces the m-ary expansion of k of the form $k = (K_{r-1}, \ldots, K_0)$, where each
$K_i$ is a d-bit string, and $K_{r-1} \ne (0 \cdots 0)$. Pre-compute all points
$2P, 3P, \ldots, (2^d - 1)P$. These points will include all possible points of the form
$K_i P$. The algorithm is similar to the basic binary algorithm. This method requires
$(2^d - 2)$ pre-computations (and hence memory storage), $(r-1)d = s - d$ doublings and,
probabilistically, about $(r-1)(1 - 2^{-d})$ additions.
Observe that the larger d is, the more pre-computations are needed. With a little calculus,
the optimal value of d can be found that will minimize the total number of additions.

2.4. Another algorithm is the addition-subtraction method using non-adjacent form
(NAF). The canonical non-adjacent form of the scalar k employs a signed binary
expansion (using 0 and ±1) that has the property that no two consecutive coefficients are
nonzero. The NAF of an integer is unique and has the fewest nonzero digits of any
signed binary expansions. There are a few ways to construct the NAF. The addition-
subtraction method requires (r - 1) doublings and, probabilistically, about (r - 1)/3
additions.

It is possible that the addition-subtraction method can be combined with the $2^d$-ary
method. In particular, the addition-subtraction method using the $2^d$-ary NAF form is a
binary form with the property that there is at most one non-zero term in d consecutive
coefficients. This form always uniquely exists and is easy to compute. The computing
method is similar to that for the NAF form, except that the corresponding quotient
corresponding to the non-zero remainder must be divisible by $2^{d-1}$. The pre-computation
process must store the values of all points: $\pm P, \pm 3P, \ldots, \pm(2^{d-1} - 1)P$.
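The addition-subtraction method of 2.2 can be traced digit by digit. The following is an added example, not code from the paper: it derives the signed digits (l_i - k_i) from k and 3k, evaluates them left to right, and checks that the digit string has the non-adjacent property described in 2.4. The function names are hypothetical, and the integer P = 1 stands in for a curve point so that the result can be compared with k directly.

```python
def addsub_digits(k):
    """Digits (l_i - k_i) for i = r-1 .. 1, where l = 3k has r bits (section 2.2)."""
    if k <= 0:
        raise ValueError("k must be a positive integer")
    l = 3 * k
    r = l.bit_length()
    return [((l >> i) & 1) - ((k >> i) & 1) for i in range(r - 1, 0, -1)]


def evaluate(digits, P=1):
    """Left-to-right double-and-add/subtract; returns (result, doublings, add/subs).

    The integer P = 1 stands in for a curve point (assumption of this example),
    so the result equals the scalar that the digit string represents.
    """
    acc, doublings, addsubs = digits[0] * P, 0, 0
    for d in digits[1:]:
        acc, doublings = 2 * acc, doublings + 1
        if d:
            acc, addsubs = acc + d * P, addsubs + 1
    return acc, doublings, addsubs


def is_non_adjacent(digits):
    """True when no two consecutive digits are both nonzero (the NAF property of 2.4)."""
    return all(a == 0 or b == 0 for a, b in zip(digits, digits[1:]))


def binary_cost(k):
    """(doublings, additions) of the plain double-and-add method of section 2.1."""
    return k.bit_length() - 1, bin(k).count("1") - 1


if __name__ == "__main__":
    k = 183  # scalar used in the paper's later examples
    digits = addsub_digits(k)
    print(digits, evaluate(digits), binary_cost(k))
```

For k = 183 the digit string costs 8 doublings and 3 subtractions, against 7 doublings and 5 additions for plain double-and-add.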

3. Signed window algorithms 

More advanced methods for implementing scalar multiplications are referred to as 
window methods. The basic one is called the Sliding window method. (Refer to [6]). 
This method’s purpose is to separate zero words so that an addition in the m-ary method 
discussed above can be skipped. (A zero word is defined as a bit string of only 0’s.) 

Instead of decomposing $k = (k_{s-1}, \ldots, k_0)$ into d-bit length words of fixed d,
decompose k into zero and nonzero words, or windows $W_i$ of varying lengths $l_i$. Let d be
the maximum length of all nonzero windows. Then pre-compute only the points of odd
scalar multiples: $3P, 5P, \ldots, (2^d - 1)P$. Let $k = (W_{r-1}, \ldots, W_0)$, where
$W_{r-1}$ is a non-zero

window (or window number). There are two strategies to partition a binary expansion 
into windows: constant length nonzero windows and variable length nonzero windows. 

• Constant length nonzero windows: This strategy tries to produce zero windows of 
arbitrary length and nonzero windows of a fixed length d. A nonzero window 
will start when a bit 1 is encountered as the bits are scanned from the rightmost bit 
to the leftmost bit. 

• Variable length nonzero windows: This strategy tries to produce nonzero 
windows whose right-end and left-end bits are both 1. Two parameters are to be 
chosen optimally in order to decrease the average number of nonzero windows: 
the maximum length d of nonzero windows and the maximum number r of
adjacent 0’s allowed inside any nonzero window. 

Signed binary window algorithms are more advanced. Their strategy is to transform a 
binary expansion into a signed binary expansion. The algorithms using signed 
expansion are much more efficient in implementing elliptic curve operations than in 
implementing the modular exponentiation operations, since subtraction is just as costly as 
addition. The purpose of these algorithms is to skip a bit string of all 1's to reduce the
number of additions. Two popular algorithms mentioned in cryptography literature are
reviewed in the following sections - Morain-Olivos's and Koyama-Tsuruoka's
algorithms. Improvements are developed for these two algorithms. 

4. Morain-Olivos’s algorithm and its improvement 
4.1. Basic technique (Refer to [8]) 

This algorithm reduces the weight of the signed binary expansion, i.e., the number of 
non-zero digits in the expansion. The idea is that a block of n bits 1 can be replaced by a
bit string that is a block consisting of a bit 1 followed by n bits 0 and then minus 1. That
is, $\underbrace{11\cdots1}_{n \text{ bits}} = 1\underbrace{00\cdots0}_{n \text{ bits}} - 1$. This
observation is extracted from an arithmetic equality that can be easily verified:
$2^{n+1} - 1 = 2^n + 2^{n-1} + \cdots + 2^1 + 2^0$.

As a result, (n-1) doublings and (n-1) additions (i.e., 2(n-1) total additions) can
be replaced by n doublings and 1 subtraction (i.e., (n+1) total additions). In other words,
this method tries to construct two positive integers $k_+$ and $k_-$ such that $k_+ - k_- = k$.
The total computation for $(k_+ - k_-)P$ is less than that for kP. Note that there are not two
separate computations of $k_+P$ and $k_-P$, but actually the computations merge together:
$k_-P$ only shows up in a few subtractions corresponding to the positions of its bits 1 in the
scalar k.

Example: $183_{10} = 10110111_2 = 11001000 - 00010001 = k_+ - k_- = 110\bar{1}100\bar{1}$. Then by a
binary method, $183P = 2^3(2[2^2(2P + P) - P] + P) - P$, where the two subtractions
correspond exactly to the two bits 1 in the expansion of $k_- = 00010001$, or two bits $\bar{1}$.
Using a sliding window method, the following can be written:

$183_{10} = 10110111_2 = 11001000 - 00010001 = 110\bar{1}100\bar{1}$ and $183P = 2^4(12P - P) + 8P - P$.

The same idea can deal with a special string that has isolated 0's. Observe that

$$k = \underbrace{1\cdots1}_{n \text{ bits}}0\underbrace{1\cdots1}_{m \text{ bits}} = 1\underbrace{0\cdots0}_{n+m+1 \text{ bits}} - 1\underbrace{0\cdots0}_{(m-1) \text{ bits}}1 = 1\underbrace{0\cdots0}_{n \text{ bits}}\bar{1}\underbrace{0\cdots0}_{(m-1) \text{ bits}}\bar{1},$$

where $\bar{1}$ denotes -1, and m is assumed to be greater than or equal to 2. This observation
is extracted from the same equality described above and applied twice. Then the following
formula can be obtained:

$$kP = 2^m(2^{n+1}P - P) - P.$$

That is, an isolated 0 inside a block of bits 1 will contribute only two
subtractions/additions and one extra doubling, instead of (n + m - 1) additions.

Refer to [8] for detailed estimations of the implementation cost. In summary, the 
algorithm reduces the number of operations (additions and doublings) by about 3% for 
100-digit numbers and by 2.7% for 300-digit numbers. Refer to the work of [4] for
similar approaches. 

4.2. Improvement: A generalization of Morain-Olivos’s algorithm 

In this section, I will generalize the Morain-Olivos's algorithm to show that it can be
applied in additional cases of scalar multiplication operations. The above approach
applies only to the case where the scalar
$k = \underbrace{1\cdots1}_{n \text{ bits}}0\underbrace{1\cdots1}_{m \text{ bits}}$. I will show that a
more general pattern of k is also applicable.

Indeed, for k being a string of (b - 1) isolated bits 0 sandwiched among b blocks of
bits 1, where b is larger than 2, the following can be written:

$$k = \overbrace{\underbrace{1\cdots1}_{N_1 \text{ bits}}0\,1\cdots1\,0\cdots0\underbrace{1\cdots1}_{N_b \text{ bits}}}^{N_1+\cdots+N_b+(b-1) \text{ bits}} = 1\underbrace{0\cdots0}_{N_1 \text{ bits}}\bar{1}\cdots\underbrace{0\cdots0}_{N_{b-1} \text{ bits}}\bar{1}\underbrace{0\cdots0}_{(N_b-1) \text{ bits}}\bar{1},$$

assuming $N_b \ge 2$. This observation is also derived from the above equality:
$2^{n+1} - 1 = 2^n + 2^{n-1} + \cdots + 2^1 + 2^0$. Then the following formula can be obtained:

$$kP = 2^{N_b}(2^{N_{b-1}+1}[\cdots(2^{N_1+1}P - P) - \cdots] - P) - P.$$

This formula generalizes dramatically the application of Morain-Olivos's algorithm
from the case where b = 2 only to the case where b is any positive number that is greater
than 2.

By applying this algorithm, $(N_1 + \cdots + N_b - 1)$ additions were replaced by only b
subtractions/additions and one extra doubling. The savings in the number of arithmetic
operations are significant when the sum $(N_1 + \cdots + N_b)$ is much larger than b, which
should be obtainable for those cases of k.

Example: $183_{10} = 10110111_2 = 100000000 - 001001001 = 10\bar{1}00\bar{1}00\bar{1}$. Then

$183P = 2^3[2^3(2^2P - P) - P] - P$.

$1467_{10} = 10110111011_2 = 100000000000 - 001001000101 = 10\bar{1}00\bar{1}000\bar{1}0\bar{1}$. Then
$1467P = 2^2(2^4[2^3(2^2P - P) - P] - P) - P$.

This improvement expands the domain of applicable patterns in the binary expansion 
of the scalar k in the Morain-Olivos’s algorithm. This generalized algorithm can be 
improved dramatically if the direct multiplication formulae (refer to [3]) can be employed
to calculate the points $2^dP$, where d is up to the maximum number $N_i$ needed in the
above formula for kP.
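The generalized pattern of 4.2 is easy to check mechanically. The following is an added example, not code from the paper: it recognises scalars made of b blocks of 1s separated by single 0s, builds the signed-digit string, and evaluates the nested formula for kP while counting operations. The function names are hypothetical, and the integer P = 1 stands in for a curve point.

```python
def blocks_of_ones(k):
    """Return [N_1, ..., N_b] when k is b blocks of 1s separated by single 0s, else None."""
    runs = bin(k)[2:].split("0")
    if any(run == "" for run in runs):  # "00" inside k, or a trailing 0
        return None
    return [len(run) for run in runs]


def signed_digits(N):
    """1, N_1 zeros, -1, ..., N_{b-1} zeros, -1, (N_b - 1) zeros, -1."""
    digits = [1]
    for n in N[:-1]:
        digits += [0] * n + [-1]
    return digits + [0] * (N[-1] - 1) + [-1]


def generalized_mo(k, P=1):
    """Evaluate kP = 2^{N_b}(2^{N_{b-1}+1}[...(2^{N_1+1}P - P)...] - P) - P.

    Returns (result, doublings, subtractions). The integer P = 1 stands in
    for a curve point (assumption of this example).
    """
    N = blocks_of_ones(k) if k > 0 else None
    if N is None or len(N) < 2 or N[-1] < 2:
        raise ValueError("k does not match the pattern of section 4.2")
    acc, doublings, subs = P, 0, 0
    for shift in [n + 1 for n in N[:-1]] + [N[-1]]:
        acc, doublings = acc * 2 ** shift, doublings + shift  # 'shift' doublings in a row
        acc, subs = acc - P, subs + 1
    return acc, doublings, subs


if __name__ == "__main__":
    for k in (183, 1467):  # the two scalars worked through in section 4.2
        N = blocks_of_ones(k)
        print(k, N, signed_digits(N), generalized_mo(k))
```

For 1467 this gives 11 doublings and 4 subtractions, where plain double-and-add needs 10 doublings and 7 additions.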

5. Koyama-Tsuruoka’s algorithm and its improvement 
5.1. Basic technique (Refer to [7]) 

The Koyama-Tsuruoka's algorithm attempts to increase the average length of zeros
and decrease the weight in the signed binary expansion using $\{1, 0, \bar{1}\}$, where $\bar{1}$
denotes -1. Denote the number of bits 0 (and, respectively, bits 1) in a bit string B by
$\#_0(B)$ (and, respectively, $\#_1(B)$).

A binary string of a non-zero window $B = (1, b_n, \ldots, b_1, 1)$ in k will be transformed to a
signed binary string of the form $T = (1, 0, t_n, \ldots, t_1, \bar{1})$, where $t_i = b_i - 1$, for all
$1 \le i \le n$. This transformation is effective (i.e. actually decreases the weight of the bit
string) only when the difference between the numbers of bits 1 and bits 0 in B is:
$\mathrm{Diff}(B) = \#_1(B) - \#_0(B) > 2$. However, keep in mind that the transformation also costs
one extra doubling because of the extra bit. This transformation is extracted from an
arithmetic equality that is also easily verified:

$$2^{n+2} - 2^{n+1} = 2^{n+1} = 2^n + 2^{n-1} + \cdots + 2^1 + 1 + 1.$$

Using the relationship $1 = b_i - t_i$ for all $1 \le i \le n$, then

$$2^{n+2} + (t_n 2^n + t_{n-1} 2^{n-1} + \cdots + t_1 2^1 - 1) = 2^{n+1} + (b_n 2^n + b_{n-1} 2^{n-1} + \cdots + b_1 2^1 + 1).$$

Using this method, one needs to pre-compute only $\pm 3P, \pm 5P, \ldots, \pm(2^d - 3)P$, since
the algorithm never allows terms of the form $\pm(2^d - 1)P$ to appear.

Example: $183_{10} = 10110111_2 = 1011100\bar{1}$. Then $183P = 16(11P) + 7P$.

$743_{10} = 1011100111_2 = 10\bar{1}00\bar{1}0100\bar{1}$. Then by a sliding window method with d = 5,

$743P = 2^5(2^5P - 9P) + 7P$.

A similar idea to Koyama-Tsuruoka’s algorithm was also discussed in [5]. Refer to 
[7] for a detailed performance evaluation and comparison. 


5.2. An Improvement of Koyama-Tsuruoka’s algorithm 

The Koyama-Tsuruoka's algorithm is applied for the non-zero window $(1, b_n, \ldots, b_1, 1)$
only. This limits its application. In this section, I will show how to significantly improve
this algorithm for any binary expansion.

Instead of working only on a non-zero window, consider an arbitrary bit string
$k = (b_n, \ldots, b_1, b_0)$, where, without loss of generality, $b_n = 1$ can be assumed. For all
$0 \le i \le n$, let $t_i = b_i - 1$, then insert the relation $1 = b_i - t_i$ into the arithmetic
identity $2^{n+1} = (2^n + 2^{n-1} + \cdots + 2^1 + 2^0) + 1$, to obtain the following identity:

$$2^{n+1} + (t_n 2^n + \cdots + t_1 2^1) + t_0 2^0 - 1 = b_n 2^n + b_{n-1} 2^{n-1} + \cdots + b_1 2^1 + b_0 2^0.$$

When $b_0 = 1$, then $t_0 = 0$. This approach will transform k into the string of digits
$T = (1, t_n, \ldots, t_1, \bar{1})$, where the last digit $\bar{1} = -1$. This is Koyama-Tsuruoka's
algorithm for a non-zero window $B = (b_n, \ldots, b_1, 1)$.

When $b_0 = 0$, then $t_0 = -1$. This approach will transform $k = (b_n, \ldots, b_1, 0)$ into the
string of digits $T = (1, t_n, \ldots, t_1, \bar{2})$, where the last digit $\bar{2} = -2$. This last digit
does not affect the scalar multiplication (kP) at all. In the very last step of a given scalar
multiplication algorithm, subtract a double of a point 2P instead of the point P itself. The
point 2P is available for free since it is always computed during the process. If other m-
ary methods or window methods are used, the digit $\bar{2}$ is obviously not a concern anyway.
Only some minor changes are needed in the pre-computations.

Example: $742_{10} = 1011100110_2 = 10\bar{1}000\bar{1}\bar{1}00\bar{2}$. Then by a sliding window method,

$742P = 2^5(2^5P - 8P) - 26P$.

The number of non-zero digits in T is

$$\#_{\text{non-}0}(T) = 2 + \sum_{i=1}^{n} |t_i| = 2 + \sum_{i=1}^{n} |b_i - 1| = 2 + \sum_{1 \le i \le n,\ b_i = 0} 1 = 2 + \#_0(k'), \quad \text{where } k' = (b_n, \ldots, b_1).$$

Hence, this transformation is effective if the condition $2 + \#_0(k') < \#_1(k)$ is satisfied. The
transformation costs one extra doubling because of the extra bit. Since $\#_0(k') = \#_0(k) - 1$,
the condition can be rewritten as: $\mathrm{Diff}(k) = \#_1(k) - \#_0(k) > 1$.

Therefore, Koyama-Tsuruoka's algorithm can now be applied to any binary bit strings
that satisfy the previous condition on Diff(k). The improved algorithm dramatically
expands the application of the original algorithm by removing the limit of applying only
on non-zero window pattern.
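The recoding of 5.2, including the final digit -2, can be checked against plain double-and-add on an actual curve. The following is an added example, not code from the paper. The toy curve y^2 = x^3 + 2x + 3 over F_97, the base point G = (0, 10) and all function names are assumptions made for this illustration.

```python
P_MOD, A = 97, 2   # toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed for this example)
G = (0, 10)        # on the curve: 10^2 = 100 = 3 (mod 97)

def add(P, Q):
    """Affine point addition; None is the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def neg(P):
    """-P = (x, -y), the first row of Table 1."""
    return None if P is None else (P[0], -P[1] % P_MOD)

def kt_improved(k):
    """T = (1, t_n, ..., t_1, last), t_i = b_i - 1; last is -1 if b_0 = 1, else -2."""
    bits = [int(c) for c in bin(k)[2:]]  # b_n, ..., b_0 with b_n = 1
    return [1] + [b - 1 for b in bits[:-1]] + [-1 if bits[-1] else -2]

def is_effective(k):
    """True when T has fewer nonzero digits than the binary expansion of k."""
    return sum(1 for d in kt_improved(k) if d) < bin(k).count("1")

def mult_signed(digits, P):
    """Left-to-right evaluation; a final -2 digit subtracts the doubled point 2P."""
    table = {1: P, -1: neg(P), -2: neg(add(P, P))}
    acc = None
    for d in digits:
        acc = add(acc, acc)
        if d:
            acc = add(acc, table[d])
    return acc

def mult_binary(k, P):
    """Plain double-and-add of section 2.1, used as the reference result."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, P)
    return acc
```

For k = 742 the recoded string has 5 nonzero digits against 6 bits 1 in the binary expansion, and both evaluation routines return the same point.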

6. Conclusions 

The intention is to modify or to develop methods using some digits other than just 
bits 0 and 1 in the standard binary expansion of the scalar k of the scalar multiplication. 
The benefit of using the $\bar{2}$ digit in the expansion is because of the availability of the point
2P in the (pre-)computation processes. Using "negative" digits (e.g., $\bar{1} = -1$ or $\bar{2} = -2$)
has great benefits since the cost of subtraction is the same as that of addition in elliptic 
curve implementations. This is a considerable improvement to the approaches for 
developing new algorithms to improve the efficiency of implementations of scalar 
multiplication operations in elliptic curve cryptosystems. 

This paper presented two improvements on two popular signed window algorithms 
for scalar multiplications implemented in elliptic curve cryptosystems. The first 
improvement on Morain-Olivos’s algorithm helped to expand its domain of applicable 
patterns in the binary expansion of the scalar k. The improvement on Koyama- 
Tsuruoka’s algorithm expands the application domain from non-zero windows to any 
binary expansion of k satisfying the condition on the difference on the numbers of bits 0 
and 1. These two improvements facilitate the efficiency of implementation of scalar 
multiplication in elliptic curve cryptosystems. 